Practice Test 3 Unknown Questions

You are correct, the answer is C.

A. Requiring application users to maintain another password may not be popular. A more fundamental reason is that many cloud service providers expose their services via application programming interfaces (APIs). These APIs are designed to accept tokens, not passwords. Ideally, they use an open standard such as Security Assertion Markup Language (SAML) or WS-Federation for exchanging authentication and authorization information. An authentication scheme needs to take into account the type of application users—organization employees, employees of partner organizations, customers or a combination of user types. Additionally, the increasing trend is for web applications to be accessible by multiple device types. Therefore, the organization may need to employ a "bring your own identity" scheme of authentication. An appropriate mechanism (such as a security token, smart card, one-time password via short message service [SMS] or telephone) based on assessed risk should be used to confirm user identity.

B. In a Platform as a Service (PaaS) cloud computing model, network security remains the responsibility of the cloud service provider. Because multiple tenants use the cloud service provider's infrastructure, insisting on a specific firewall configuration is not practical, although it may be possible to agree to some arrangements when negotiating the service contract. The "deperimeterized" nature of cloud computing enhances the need for strong application security controls to be designed, tested and implemented.

C. With cloud computing, an application does not run on an organization's trusted environment. Instead, it runs on infrastructure shared by other tenants and administered by people not employed by the organization. Therefore, depending on the nature of the data, there may be a greater need to rely on encryption to protect privacy. This may apply not just to data when they are stored in the cloud, but also during transmission. However, careful consideration must be given to the nature of the data to understand what degree of protection is needed. Using encryption can increase complexity and have performance implications. The possibility of using compensating controls, e.g., protecting stored data through database access controls, should also be considered.

D. In a PaaS cloud computing model, the service provider supplies the computing infrastructure and development frameworks. While requirements for basic infrastructure security can be discussed and possibly included as contract terms, responsibility for building a secure application rests with the customer organization. Given that cloud computing enhances some threats present with traditional in-house hosted systems as well as introducing some new threats, it is particularly important that application security controls be given strong focus during application development.

You answered C. The correct answer is A.

A. An application-level gateway is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes each packet in detail, not only at layers one through four of the Open Systems Interconnection (OSI) model but also at layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transfer Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.).

B. With a remote access server, a device (server) asks for a username and password before allowing entry to the network. This is good when accessing private networks, but the server can be mapped or scanned from the Internet, creating security exposure.

C. Proxy servers can provide excellent protection, but depending on the type of proxy, they may not be able to examine traffic as effectively as an application gateway. Proxy servers also need an individual who really knows how to make them work, and applications can use different ports for the different sections of the program.

D. Port scanning is used to detect vulnerabilities or open ports on a network; it is not the tool for controlling what comes from the Internet, or for cases where all the available ports need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping.